ab origine ...

CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe"

Symbol search path is: C:\WINDOWS\Symbols

Executable search path is:

ModLoad: 00400000 0049a000   iexplore.exe

ModLoad: 7c900000 7c9b0000   ntdll.dll

ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll

ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll

ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll

ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll

ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll

ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll

ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll

ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll

ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll

ModLoad: 61410000 61534000   C:\WINDOWS\system32\urlmon.dll

ModLoad: 77120000 771ac000   C:\WINDOWS\system32\OLEAUT32.dll

ModLoad: 5dca0000 5dce5000   C:\WINDOWS\system32\iertutil.dll

ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll

(9a0.bc): Break instruction exception - code 80000003 (first chance)

eax=00241eb4 ebx=7ffde000 ecx=00000004 edx=00000010 esi=00241f48 edi=00241eb4

eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

ntdll!DbgBreakPoint:

7c901230 cc              int     3

0:000> g

ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL

ModLoad: 773d0000 774d2000  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

ModLoad: 5d090000 5d127000   C:\WINDOWS\system32\comctl32.dll

ModLoad: 7e1e0000 7e7a9000   C:\WINDOWS\system32\IEFRAME.dll

ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL

ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\UxTheme.dll

ModLoad: 76cc0000 76ccb000   C:\Program Files\Internet Explorer\custsat.dll

ModLoad: 74720000 7476b000   C:\WINDOWS\system32\MSCTF.dll

ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll

ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime

ModLoad: 5dff0000 5e01f000   C:\WINDOWS\system32\IEUI.dll

ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll

ModLoad: 4ec50000 4edf3000  C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\gdiplus.dll

ModLoad: 47060000 47081000   C:\WINDOWS\system32\xmllite.dll

ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\apphelp.dll

ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL

ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll

ModLoad: 746f0000 7471a000   C:\WINDOWS\system32\msimtf.dll

ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll

ModLoad: 77a20000 77a74000   C:\WINDOWS\System32\cscui.dll

ModLoad: 76600000 7661d000   C:\WINDOWS\System32\CSCDLL.dll

ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll

ModLoad: 32520000 32532000   C:\Program Files\Microsoft Office\Office10\msohev.dll

ModLoad: 61930000 6197a000   C:\Program Files\Internet Explorer\ieproxy.dll

ModLoad: 771b0000 7727e000   C:\WINDOWS\system32\WININET.dll

ModLoad: 011e0000 011e9000   C:\WINDOWS\system32\Normaliz.dll

ModLoad: 75cf0000 75d81000   C:\WINDOWS\system32\MLANG.dll

ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\ws2_32.dll

ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll

ModLoad: 10000000 1000e000   C:\Program Files\Adobe\Acrobat7.0\ActiveX\AcroIEHelper.dll

ModLoad: 7c340000 7c396000   C:\WINDOWS\system32\MSVCR71.dll

ModLoad: 50110000 5015d000   C:\Program Files\CommonFiles\ReGetShared\Catcher.dll

ModLoad: 75e90000 75f40000   C:\WINDOWS\system32\SXS.DLL

ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll

ModLoad: 662b0000 66308000   C:\WINDOWS\system32\hnetcfg.dll

ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll

ModLoad: 76ee0000 76f1c000   C:\WINDOWS\system32\RASAPI32.dll

ModLoad: 76e90000 76ea2000   C:\WINDOWS\system32\rasman.dll

ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll

ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll

ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll

ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll

ModLoad: 5cd70000 5cd77000   C:\WINDOWS\system32\serwvdrv.dll

ModLoad: 5b0a0000 5b0a7000   C:\WINDOWS\system32\umdmxfrm.dll

ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\USERENV.dll

ModLoad: 77c70000 77c93000   C:\WINDOWS\system32\msv1_0.dll

ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\iphlpapi.dll

ModLoad: 02380000 02646000   C:\WINDOWS\system32\msi.dll

ModLoad: 722b0000 722b5000   C:\WINDOWS\system32\sensapi.dll

ModLoad: 71d40000 71d5c000   C:\WINDOWS\system32\actxprxy.dll

ModLoad: 76fc0000 76fc6000   C:\WINDOWS\system32\rasadhlp.dll

ModLoad: 7e830000 7eb9f000   C:\WINDOWS\system32\mshtml.dll

ModLoad: 746c0000 746e9000   C:\WINDOWS\system32\msls31.dll

ModLoad: 72ea0000 72f00000   C:\WINDOWS\system32\ieapfltr.dll

ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll

ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll

ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll

ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll

ModLoad: 77690000 776b1000   C:\WINDOWS\system32\NTMARTA.DLL

ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll

ModLoad: 71bf0000 71c03000   C:\WINDOWS\system32\SAMLIB.dll

ModLoad: 63380000 633f8000   C:\WINDOWS\system32\jscript.dll

ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll

ModLoad: 79000000 79045000   C:\WINDOWS\system32\mscoree.dll

ModLoad: 63f00000 63f0c000  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorie.dll

ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll

ModLoad: 63f50000 63f68000  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorld.dll

ModLoad: 64020000 64033000   C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll

ModLoad: 74e30000 74e9c000   C:\WINDOWS\system32\RichEd20.dll

ModLoad: 79e70000 7a3d1000  C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

ModLoad: 732d0000 732d5000   C:\WINDOWS\system32\SOFTPUB.DLL

ModLoad: 0ffd0000 0fff8000   C:\WINDOWS\system32\rsaenh.dll

ModLoad: 60340000 60348000   C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\culture.dll

ModLoad: 790c0000 79ba8000   C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\8777c689c6eb554fbb138a684f87bb16\mscorlib.ni.dll

ModLoad: 60650000 6065c000   IEHost.dll

ModLoad: 60650000 6065c000   C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll

ModLoad: 60680000 60688000   IIEHost.dll

ModLoad: 60680000 60688000   C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll

ModLoad: 79060000 790b3000   C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll

ModLoad: 7a440000 7abfe000   C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\578bcbd50836b0438e0e0510d3b21e7a\System.ni.dll

ModLoad: 11000000 11016000   image11000000

ModLoad: 11000000 11016000   image11000000

ModLoad: 11000000 11016000   image11000000

ModLoad: 11000000 11016000   image11000000

ModLoad: 11000000 11016000   C:\Documents and Settings\Vladimir Scherbina\LocalSettings\Application Data\assembly\dl3\2AJQAA8N.E81\D2E4KLW7.N96\04a708e5\0007d162_1e06c701\inkarea.dll

ModLoad: 7afd0000 7b4e6000   System.Windows.Forms.dll

ModLoad: 7ade0000 7af74000  C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll

ModLoad: 7afd0000 7bc56000   C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f51ae980020ed444a321d21d14c7e2cf\System.Windows.Forms.ni.dll

ModLoad: 7afd0000 7b4e6000   C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

ModLoad: 7ade0000 7af74000   C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\d8fb3fbffbd7c2419066781e01344f59\System.Drawing.ni.dll

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

ModLoad: 5e380000 5e409000   C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll

(9a0.bfc): C++ EH exception - code e06d7363 (first chance)

(9a0.bfc): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.bfc): C++ EH exception - code e06d7363 (first chance)

(9a0.bfc): CLR exception - code e0434f4d (first chance)

(9a0.bfc): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): C++ EH exception - code e06d7363 (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

(9a0.8a0): CLR exception - code e0434f4d (first chance)

ModLoad: 35c50000 35c89000   C:\WINDOWS\system32\Dxtrans.dll

ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL

ModLoad: 6d430000 6d43a000   C:\WINDOWS\system32\ddrawex.dll

ModLoad: 73760000 737a9000   C:\WINDOWS\system32\DDRAW.dll

ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll

ModLoad: 35cb0000 35d07000   C:\WINDOWS\system32\Dxtmsft.dll

(9a0.bfc): CLR exception - code e0434f4d (first chance)

(9a0.bfc): CLR exception - code e0434f4d (!!! second chance !!!)

eax=05ddf9ac ebx=0358f760 ecx=00000000 edx=00000025 esi=05ddfa38 edi=e0434f4d

eip=7c81eb33 esp=05ddf9a8 ebp=05ddf9fc iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

kernel32!RaiseException+0x53:

7c81eb33 5e              pop     esi

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

0:000> bp LoadLibraryA

*** ERROR: Module load completed but symbols could not be loaded for iexplore.exe

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\iertutil.dll -

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\urlmon.dll -

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\SHLWAPI.dll -

0:000> bp LoadLibraryW

0:000> bl

 0 e 7c801d77     0001 (0001)  0:**** kernel32!LoadLibraryA

 1 e 7c80acd3     0001 (0001)  0:**** kernel32!LoadLibraryW

0:000> g

Then I started analyzing the code when each LoadLibrary function was called. The most interesting piece came when IE loaded the mscorwks library. Before IE dies I see the following call:

mscorwks!GetCompileInfo+0x40f5f:

7a006ece e809692b00      call    mscorwks!NGenCreateNGenWorker+0x630e1 (7a2bd7dc)

0:018> g

Breakpoint 0 hit

eax=00000001 ebx=00000000 ecx=00000004 edx=00000000 esi=00000800 edi=00000001

eip=7c801d77 esp=0607cdd0 ebp=0607d7fc iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

kernel32!LoadLibraryA:

7c801d77 8bff            mov     edi,edi

0:018> g

(8f8.f8c): CLR exception - code e0434f4d (first chance)